Creating Encrypted Forensic Images

Recently we have been asked by some of our clients to encrypt the forensic images we collect before leaving their site. Below are two possible solutions.

Hardware Capture Method

Using a Solo or Talon, create a standard dd image of the suspect hard drive. As the drive is being imaged, use a forensic laptop to create a TrueCrypt volume on a new NTFS-formatted hard drive. Make sure that the TrueCrypt volume is larger than the disk being imaged.

When the Solo or Talon has finished imaging, robocopy the dd image to the mounted TrueCrypt volume.

Verify that the image can be opened without any errors. Securely erase the images from the non-encrypted drives using your local standard method.

Software Capture Method

Create a TrueCrypt-encrypted hard drive formatted as NTFS. This can be done in advance, as it will take some time to format and encrypt a 500GB hard drive.

Using FTK, EnCase, DD, etc.

Mount the TrueCrypt-encrypted drive. Connect the suspect drive to a write blocker. Create an image of the drive as normal onto the mounted TrueCrypt drive. When complete, robocopy the image to another TrueCrypt-encrypted "backup" hard drive.
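Both methods end with a copy of the image sitting on an encrypted volume and the plaintext copy about to be wiped, so the step worth automating is proving the copy is bit-identical first. The script below is an added example, not the author's, and it stands in for the dd/robocopy steps above on a Linux forensic workstation: it assumes `dd` and `sha256sum` are available and that the TrueCrypt volume is already mounted at the path you pass as `DEST_DIR` (the paths are placeholders).

```shell
#!/bin/sh
# Acquire a source (a block device, or an existing dd image in the hardware
# method) onto an already-mounted encrypted volume and prove the copy is
# bit-identical before the unencrypted original is erased.
# Example paths such as SRC=/dev/sdb and DEST_DIR=/mnt/truecrypt are assumptions.
set -u

# Print only the SHA-256 hex digest of a file or block device.
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_and_verify SRC DEST_DIR
# dd-copies SRC to DEST_DIR/<name>.dd, hashes source and image, records both
# in DEST_DIR/<name>.sha256.txt and returns 0 only when the hashes match.
image_and_verify() {
    src="$1"; dest_dir="$2"
    name=$(basename "$src")
    image="$dest_dir/$name.dd"
    log="$dest_dir/$name.sha256.txt"

    src_hash=$(hash_of "$src")
    [ -n "$src_hash" ] || return 1
    # bs=512 so that conv=sync only pads unreadable sectors, never the final
    # block; a larger block size would pad the tail of the image and change its hash.
    dd if="$src" of="$image" bs=512 conv=noerror,sync 2>>"$log" || return 1
    img_hash=$(hash_of "$image")
    [ -n "$img_hash" ] || return 1

    printf 'source %s %s\nimage %s %s\n' "$src_hash" "$src" "$img_hash" "$image" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_against_log IMAGE LOG
# Re-hashes an image (for example the robocopied backup) and checks it against
# the "image" digest recorded at acquisition time; run it on every copy before
# the plaintext image is securely erased.
verify_against_log() {
    expected=$(awk '/^image /{print $2}' "$2")
    [ -n "$expected" ] && [ "$(hash_of "$1")" = "$expected" ]
}
```

The `.sha256.txt` log also captures dd's record counts, which is the evidence you want alongside the image if the acquisition is ever questioned.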

I'd be interested to know how others are dealing with these requests. Has anyone used Seagate's Momentus 5400 FDE.2 drive to accomplish this before?
